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BACKGROUND OF THE INVENTION 

This invention relates generaHy to computer rieiworks, and more pariicuiarly 
prcjvides a system and method for globaily and securely accessing unified 
information r* a computer net^vork. 

10 

2. Description of the Background Art 

The internet currently Interconnects about 100,000 computer networks and 
several niilHor> computers. Each of these computers stores numerous applicotiori 
programs for providing numerous servic-ies, such as generatlr^g, sending and 

IS receiving e-mail: accessing World Wide Web sites, generating arKJ receiving 
fecsimile documer^ls, storing and retrieving data, etc, 

A roaming user, i.e.: a user who travels and accesses a workstation 
remotely. Is faced with several problems. Program riesigners have developed 
commun;oatior? tef.^hnique& tor enabling the roaming user to establish a 

20 communications link and to download r^eeded Irvfonnation and needed service 

application programs from the remote workstation to a local computer. Using these 
techniques: the roarr^ing i.;ser can manipulate the data on th« itsnsuifci workstation 
and: when finished, can upload the manipulated data bacK from the rem.ote 
v/orkstation to the local computer. I icvi/ever, slow computers and slow 
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corrsrn Li nioatioa channels make downloading large fsles and progranis a lims- 
consuming process. Further, downioadino files and progfa.ms across insecure 
cha?>nels severely threatens the integrity arsd confidentiality of the downloaded data. 
Data consistency i^) also a significant cor?cern for the roaming user. For 

5 example, when maintaining multiple independently rrK,)d;nab;e copies of a 

document, a user risks using ar- outdated version. By the time ihe user notices an 
inconsistency, interparty nViSCommursication or data loss may have aiready resulted. 
The user must then spend more time attempting to reconcile the inconsistent 
versio.ns and addressing ar?y rniscommunicalions, 

li} The problem of data inconsistency is exacerbated when nvjltiple copies of a 

document are maintained at different network iooations, F-or example, due to 
network secunty systems such as conventional firev^all technology, a user may 
have access only to a particular one of these network locations. Without access to 
the other sites, the user cannot contlrrrs that the version on the accessible site is the 

IS most recent draft. 

Data consistency problerns may also arise v-,fhen using appiic-ation programs 
tron^ different vendors. For exarnpie, the Netscape Navigator''^- web engine and the 
Inlernct Expiorer'"^' engine each store bookrru^rks for quir;k reference to 
interesting web sites, hkiwever, since each web engine uses different forn^ats and 

20 stores bookmarks in dilfererU tiles, the bookmarks are not interchangeable, in 

addition, one web engine may store a r^esoeo oookmark, and the other may not. A 
user who. for f?,Kample, runs the iruerriel Explorer'^'' web engine at home ai-^d runs 

3 
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trie Netscape Navigator--* web engine ai work risks having Inccjnsisteni t-ookmarkf> 
at each iocation. 

Therefore, a system and method are needed to enab;e n1uitip^^ users to 
access computer services remoteiy without consuming excessive user time, without. 
5 severely threatening the integrity and confidentiality of itie data, ar^d without 
compromising >data consistency. 

The present invention provides s system and methods for prov1dir=g giobal 
and secure access to services and to unitled (synchronised) workspace esements in 

tO a computer network, A user can gain access to a global server using sny tenninai: 
which is connected via a computer netv/ork such as t.he Internet to ih& global server 
and which is enabled with a web engine, 

A client stores a first set of workspace data, and is coupled via a con^puter 
network to a giobal server. The client is configured to synchronise selected portions 

15 of the first set of workspace data (comprising workspace eiernents) with the global 
server, whioh stores independently modifiable copies of the selected portbns. The 
global server may aiso store wori';space data not received frofTi the client, such as 
e -maii sent directly io tne global server. Accordingly, the global server stores a 
second set of workspace data The global server is configured to identif\'~ and 

2.0 authenticate a user attempting to access it from a remote terminal, and is 

coris;gu?ea lo provide access based on the client configuration either to the set 
of workspace data stored on the client or to the second set of workspace data 
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stored an the global server. It will be appreciated tr^al the global server oars 
manage rriuitipie cWeutu and can synonronsze workspace data bet\vee{i clients 

Service eng;nes for managing ses-vices such as e--rnai! managen-ent: 
accessif-iq bookmarks, caiencianng, network acoess, etc- may be stored anywhere 
s in the compute? network, including on the olienl, on the global server o" on any 
other computer. The oiobaf server is configured lo provide the user v^fith access to 
services, which based or^ levei of authentication management or user preferer?oes 
may indude only a su'bset of available services. Upon receiving a service request 
from the client, the global server sends configuration information to er^afole access 

10 to the service. 

Each ciieru' includes a base system and the global sen-'er includes a 
synchronization agent. The base system, and synchronteation agerit auton^atically 
establish a secure connection therebetween and synchronize the selected portions 
of the tlrst set of woj1<space data stored on the client and the second set of 

15 workspace data stored on the global sen,''er. The base system operates on the 
client and examines the selected portions to >detem-ine Vs/hether any workspace 
elements have been rriodined since last synchronization. l"'he synchronization 
agent operates on the global sea-er and snforrns the base system whether any of 
the workspace elerrients in the second set have been modified, ycsditled version 

20 rnay tl?en be exchanged so that an updated set of workspace elements may be 
stored at both locations, and so that the ren?ote user can acce&js kipuyted 
database. It a conflict exists between two versions, the base system then performs 
a responsive action such as examining content and generatlr^g a preferred version. 
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which rfiay be stored at both locations The system may further inckicie a 
synchronization-Stan module at the olient sice (whsch may be protected by a firevvall) 
that initiates snterconnection and syncruonizatiors wher? predeteffT^iiied cntaria have 
been satisfied, 

5 A method of the present invention includes establishing a communicatioriS 

link between the oiient and the global server. The method includes establisi^.irK.) a 
comniunications link beb-veen the client and a sers^ice based upon user requests. 
The method receives contlguration data and uses the configuration data to 
configure the diem components such as the operating system, the vveb engine and 

10 other components. Configuring ciierrt conuxinerUs enables the client to 
communicate with the sen/ice and provides a user-and- service- specific user 
interface on the client. Establishing a comm^unicaticns link may also include 
oontimiing access privileges. 

Another method uses a global translator to syrschronize workspace elements. 

IS The method includes the steps of selecting workspace elements for 

synchror>lzauon, estebiishing a communicatjons Nnk beb,veen a client and a glofoei 
server, examining version Infofmation for each of the workspace elements on the 
client and on the global ser^/er to determine workspace elements v^hlch have been 
modified since last synchronization. The method continues by comparing the 

20 corresponding versions and perforrr?ing a resporssive action. Responsive actions 
may include st.ohng the prefeneo version at t)oth stores or reconciling the versions 
using r^oritent-based analysis 
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The system and methods of the present irsvention advantageously provide a 
secure globally accessible third party, i.e. the globai server. The system and 
methods provide a secure technique for enabling a ufser to access the globaf server 
and thus workspace data rerrioteiy and secufeiy. Because of the global nrevvail and 
5 the identrHcBtlon and security services performed by the global server, corporations 
can store relatively secret infomiatior^ on the global sor^'er for use by aiithorizod 
clients Yet, the present ir?ventior^ also enables corporatior?s to maintain only a 
portion of their secret information on the global server, so thai there Vv'ould be only 
limited loss should tne global server be compromised. Further, the global server 

ICS may advantageously act as a client proxy for corjtrolling access to ser^/ices, logging 
use of keys and logging access of resources. 

A Ciient user «rho maintains a vvorl< site, a home site, an off-site and Ihe 
global server site can securely synchronize the v^iorkspsce data or portiorss thereof 
among all four sites. Further, the predetenY^lrsed criteha (whroh control vv'hen the 

rs synchroni/:atlon-stan. module Initiates synchronization) may be set so tt^at tfie 
general synchronisation n^odule synchronizes the workspace data upon user 
reciuesf., at predetermined iirnes during the day such as while the user Is 
commuting, or after a predetermined user action such as user log-off or user log-on, 
Bef.:ause the system and method operate over the internel, the systerrs ss accessible 

::o using ar^y connected terminal having a web engine such as an internet-ersabled 
smart pnone, television settop (e.g., Vi/eb TV), etc. and is accessible over any 
distance. Since ihe system and rriethod include format translafloi\ merging of 
workspace elements between different application progran'ss and different platforms 

6 



is possible Furinef, because synchrc>nizal!or? is initlatfid fron^ within tiie firewaiK the 
typical tirewail, which prevents in-bound communications and only sojiis prolocois 
of out-bound cofrjmunications, ck>8s not act as ars impediment to workspace 
element synchronization 

Further, a roaming user may be enabled lo access workspace data from the 
Giobai server or may be enabled to access a service for accessing workspaoe data 
from a client. For exauiple, a user may prefer not to store personal irnormation on 
the giobai server but rnay prefer to t^ave remote arxess to trie infonTu^tion. Further, 
the user may prefer to store higliiy confidential workspace elements on the client at 
work as added security should tr-e giobai server be compromised. 

The present invention may further benefit the roaming user who needvS 
emer-gency access to Inforft^ation. The roaming user may request a Management 
Ir^fonnation Systems (^vIlS) director- contr-oliing the client lo provide the global &e-:ver 
with the proper keys to enable access to the ir^formation or^ the client. If only 
temporary access is desired, the keys can then be later destroyed eitfier 
automaticBliy or upon request, Aiternativeb/, the fvliS director r'nay select the 
needed inlbrmation as workspace elements to be synchronized and may request 
immediate synchronization with the global server, Accordingiy. the global server 
and trse client can synchronii-e the needed Information, and tf^e iiser can access the 
intormatior; frorTi the giobai server after it f?a3 oorYipieted synchronization. 

The present invention also enables the system arso nseuuids to synchronize 
keyS; avaliabie services and corresponding service addresses to update 
accessibility of workspace data and services. For exarr^ple. if the user of a client 



accesses a site on the kUef net wh:ch requires a digital certificate and the user 
obtains the certificate, the syj^terr: and methods of the present ir?vention ;7iay 
synchronize thss mv^ly obtained ceriitlcsste with the keys stored on the giobai server. 
Thus, Ihe user need not. contact the global server to provide ii with the information. 
5 The synchfor^izaiion means will synchronize the Information uutomaticaiiy. 
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FiG 1 is a biock diagram ilU.is;trat;ng a secure ciala- synchronizing remdteiy 
accessible network in accordance with the present invention; 

FIG. 2 !S a bloci-? diagram Illustrating details of a FIG. 1 remote terrrsinai: 
FiG 3 Is a t)icck diagram iHustraliris details of a FIG. 1 global sea-er; 
FIG-. 4 is B block, diagram illustrating details of a FIG 1 synchronization 

agent; 

FIG>, 5 is a grapiiica! representation of sn exarrjple bookmark in global 

forr^iat; 

flG. 6 is a grapiiical representation of the FIG, 3 configuration data; 
FIG, 7 la a block diagram illustrating the details of a FIG, 1 client; 
FIG. 8 is a block diagram illustrating the details of a FIG. 1 base system; 
FIG,9 illustrates an example sen/Ices list; 

FIG. 10 Is a flowchart Illustrating a method for re-3motely accessing s secure 

server; 

FIG. 1 1 is a flowchart illustfating details of the FIG, 10 step of creating a link 
bet'A'een a client and global server; 

FIG, 1.2 is a fiowcharf Illustrating details of the FIG. 10 step of providing 
acx^ess to a service in a first emtoodinient; 

FIG, 13 is a fiowohart illustri^ting details of the FIG. 10 step of providing 
access to a service In a second embodiment; 

FIG. 14 Is a fiowcnart illustrating fietalls of the FIG. 10 step of providing 
access to a service In a third embodlmer\t; and 

9 
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FIG, 15 is a tlQWcriart iilustrating a method for syr^chronizing multiple copies 
of 3 workspace elemem over a secure rsetworK, 

DETAILED PESCRU-^TION OF THE PREF:ERRED..EMBODjM£Nl^ 
FIG. 1 is a block diagram silustraUng a network 100, comprising a first Sile 
5 such as a remote computer terminal 105 coupled via a conimunioatiof^s channe; 
1 10 to a giobal server 1 1 5. The global server 1 15 is in turn coi4jleci via a 
comnuinications cbannel 120 to a second si^e suets as a Local Area Network (LAN) 
125 and via a oommunioations channel 122 to third site >3uch as ciie.nt 167, 
Communications channel 110, ccmmunications channel 120 ar^d communications 
IQ channel 122 may be referred to as components of a computer network such as the 
Internet. The global server 115 Is protected by a global fsrevvail 130, arKJ the LAN 
125 is protected by a LAN firevvafl 135, 

The LAN 125 corrsprises a dlent 165, v/hich Includes a base system 170 for 
synchronizing workspace data 180 (e- mali data, file data, calendar data, user data, 
15 etc.) with the global &er-j&r 115 and may Include a service engine 176 for providing 
computer services such as sctieduliruj, e-mail, paging, word-processing or the like. 
Those skilled ir^ the art will recognise that workspace data 180 may include other 
types of data such as application programs. It will be further appreciated nrat 
workspace data 180 may each be divided into workspace elements, wherein each 
20 Ys^orkspace element may be identified by particular version information 782 (FIG. 7). 
For example, each e-mail, file, calendar, etc, may be rererreo to as "a workspace 
element in workspace data.' For simplicity, each workspace eien:ent on the cliern 
165 is referred to herein as being stored In ibrmat A. It wi5l be further appreciated 



that the v>.'-of kspace r^ata 180 or portions thereof may be stored at different focations 
such as Ic3caily or? the client 165. on other syJ^'f^^^'S m the IAN 125 or on other 
aysterYis (not fthovvn) connecied to the giobai server 115, 

TIk? client 16? is similar to tr>e ciianl 165. However, workspace data stored 
on the dienl 167 is referred to as besng stored in format B, whsoh rr^ay be the sanie 
as or differer-st than forreat A, .Ail aspects described above arsd below with 
reference to the clier^t 165 are also possibie with ree>pect to the cJierst 167, For 
example, client 167 rnay include sen/ices (not shown) accessible frorYi remote 
terminal 105, may inckide a base system (not slsown) for synchroniEing workspace 
elementvS with the sjlobai seiver 1 15, etc. 

The giobai server 115 includes a security system 160 for providing only an 
Esiithorized user with secure access tfuougii firewalls lo services. The security 
system 160 rr^ay perform identification and authentication services and may 
accordingly enable multiple levels of access based on the level of identification and 
authentication. l"he global server 1 15 further ir^^cludes a cor^tlguration system 155 
thai downloads configuratior? data 356 (FiGs. 3 and 6) to the remote terminal 105 to 
configure remote temiinal 105 compo.nents such as the operating system .270 (FIG. 
2), the web engine 283 (FIG. 2), trie applet engine 290 (FIG, 2), etc. The 
configuration system 155 uses the configuration dtrta 356 to enable the remote 
terminal 105 to access ihe services provided by the ser/;ce engine 175 ar^.d io 
provide a ussr-and-servsce-speafsc user interface. 

The giobai server 115 steles workspace data 163, which inciudes an 
independently modifiable copy of each selected v^orkspace eslement in the selected 



portions of the workspace data 180, Accordingiy, the workspace data 163 inciudes 
an indeper^dentiy modifiabie copy of oach corresporKii?K| versiofi infornvistion 782 
(FIG 7), The workspace data 163 rnay also include workspace elements which 
originate on the global server 1 16 such as e-mails sent directly to the global server 

s 116 or workspace eie?Tiervls which are downloaded fror-n another client (not showr^). 
The giobai server 1 16 maintasns the workspace data 163 in a format, referred to as 
a 'global format," which is selected to be easily translatable by the giobai trar?slator 
1 50 to and from format A arsd to arKJ Troni format B. As with format A and format 8. 
one skilled in the art knows that the global format actually irjcludes a global format 

10 for each informatbn type. For example, there may be a giobai format for 

bookmarks (FIG. S), a global format for files, a global forrr^at for calendar data, a 
giobai format for e mails, etc. 

The giobai server 115 also includes a synchronization agent 145 for 
examining the workspace elements of workspace data 163. More particulariy, the 

IS base system 170 and the synchronizalior^i agent 146 , collectively referred to herein 
as "synohronizatlor^ means/' cooperate to synchronize the workspace data 163 
with the seiecled portions of the workspace data 180. The synchronization means 
may Individually synchronize workspace elements (e.g., specific word processor 
documents) or may synchronize workspace element folders (e.g., a bookmark 

20 folder). Gef>eraliy, the base system 1 70 manages the selected portions of the 
worKspace data 180 withsn the LAN 125 and the synchronization agent 145 
manages the selected portions of workspace data 163 within the giobai server 115. 
It v/ili be appreciated that the global translator 1 50 cooperates with the 

12 



synchronization mear^s to transiate between format. A (or format 8) and the global 
format U will be turi.hef appreciated thai the globai server 1 15 may synciironize tne 
workspace data 163 witis workspace data 180 and with the wori^space data (noi 
shewn) or- the ciie?n 167., Accordingly, the workspace data 163 can be easily 

5 synchrcnized with the workspace data (not shown) on tiie client 167. 

The remote terminal 106 includes a v./eb engine 140. which sends requests 
io the global server 115 ar?d receives information to display frorn the global server 
1 1 5 The web engir>e 140 rrsay use l-lyperText Transfer Protocol (HTT P) and 
HyperText Markup Language (HTML) to interface with the global server 1 15. The 

iii vmb engine 140 rnay be enabled to rur- applets, which v^hen executed operate as 
the seourily interface for providing access to the global server 115 and which 
operate as the application interface w;th the requested service. Using the present 
invention, a user can operate ar?y remote client 105 connected to the Internet to 
access the global server 1 1 5, and Lhus to access the sai-vices and the workspace 

15 data on or accessible by the global sefver115. 

FIG. 2 is a block diagram iiiustraiing details of the remote terrrdnai 105< which 
includes a Central Processing Unit (CPU) 210 such as a Motoroia Power PC 
microprocessor or an Intel PentiurrV" micrrr^processor. An input device 220 such as 
a keyboard and mouse, and an output device 230 such as a Cathcde Ray Tube 
(CRT) display are coupled via a signal bus 235 io CPu ^10. A communicalior^s 
interface 240, a data storage device 25G such as Read Only Memory (ROy) ar^d a 
magnetic disk, and a Random-Access ^bflemory (F^M) 260 are further coupled via 

13 
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signal bus 235 to CPU 210. The communicaijons imerface 240 is coupled to a 
comrriunications channel 1 10 as shovvrs in FIG. 1. 

An operating system 27{) inciudes a program for controlfing processing by 
CPU 2.10, and is typscraliy stored in data stortige device 250 and loaded into RA^/i 

5 260 (as shown) for executiors. Operating system 270 further :'.^clude5 s 

comniursications engine 27S tor generating and transferring rriessage packets via 
the communications interface 240 to and from the comrrmrjicalions chanr^e! 110. 
Operatir-jQ system 270 further includes an Operating System (OS) oonfejuraiion 
module 27B, which configures the operating system 270 based on OS connguration 

10 data 358 (F"IG. 3) such as Transmission Control Protocol (TCP) data, Domain Name 
Server (DNS) addresses, etc received from the global server 115. 

Operating system 270 further includes the web engine 140 for 
communicating with the global server 115, The wab engine 140 may ifu-;lude a web 
engine (WE) configuraiio?) module 286 for configuring elerner?ts of the web engine 

S5 140 such as home page addresses, bookmarks, caching data: user preferences, 
etc, based on the connguration data 356 received from the global sen/er 1 15. "The 
web engine 140 may also include an encryptior? engine 283 for using encryption 
ier;hniques to communicate with the global sepv'er 115. Ttie web engir^e 140 further 
may include an applet erigine 290 for harKiling the e.xecutiDn of downloaded appiets 

20 including applets for providing security. Ti-^e applet engir?e 290 may incli;de ars 
Applet Engine (AE) contsgurauon rriodule 295 for r:.or^figuring the elements of the 
applet engine 290 based on configuration data 356 received from the global server 
115. 

14 
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FIG. 3 is a bicsck ciiagran-s iilustraling details of the global sefver 115, which 
includes a Central ProcesslfH} Unit {CPU) 310 such as a Motorola Power PC" 
microprocessor or ar> IrUel Pentium microprocessor. An input device 320 such as 

5 a i<eyb03rd and mouse, and an output device 330 such as & Cathode R^y Tube 
(CRT) dispiay are coupled via a signal bus 335 to CPU 310. A communications 
interface 340, a data storage device 35C} such as Read Or^ly Memory (ROM) and a 
magnetic disk, and a Random- Access Memory (RAM) 370 are further coupled via 
signal bris 335 to CPU 310. As shown in FIG. 1, the cornmunicatiorss interface 340 

10 is coupled to the commLinlcations channel 1 10 and to the communications channel 
120. 

.An operating system 380 includes a program for controlling processing by 
CPU 310, and is typlcaliy stored in data storage device 350 and loaded snto RAM 
370 {as illustrated) for exeoutian. The operating system 380 furtfier includes a 

5 5 oorr^rrsunications engine 382 for generating and transferring message packets via 
the communications ir?terface 340 to and from the con-jmunications channel 346, 
The operc^ting system 380 also includes a web page engine 39S for transmitting 
web page data 368 to the remote terr^inal 105, so that the remote terminal 105 can 
display a web page SCO (FIG. 9) listing functionality offered by the global server 

::0 115. Other web page data 368 n>ay inciude Information for displaying security 
J nethod sele otio.ns . 

The operating system 380 may include an applet host engine 3S5 tor 
tr^nsmiiting applets to the remote terminal 106 A cor^figuratlon engir^e 38S) 



opf;rates in conjunction with the applet host Gngine 395 for transmitting 
oonnguratson applets 35S and configuration and usar dc-$la 356 to the remole " 
terminal 105. The remote terrrilnai 105 executes the configii ration applets 359 and 
uses the configuration and ueer data 356 to configure the elements (e.g., the 
s operatifjg system 270, the web engine 140 and the applet engine 290) of the 

remote terminal 105. (Configuration and user data 356 is described sn greater detail 
with reference to FIG. 6. 

Tfie operating system 380 also includes the syncbronlzation agent 145 
described with reference to F\G. 1. The synchronization agent l-^IS synci'sronizes 

10 the workspace data 163 on the global server 115 with the workspace data 180 on 
the cNeril 165. As stated above with reference to FtG. 1, tiie global translator 150 
translates between format A used by the client 165 and the global format used by 
tiie giobai server 116. 

The operating system 380 may also includes a security engine 392 for 

15 determining whether to instruct a commuriications engine 382 to create a secure 
communications link with a riiient 165 orterrTiina! 105, ar^d for determining the 
access rights of the user. For example, the security' engine 39.2 forwards to tiie 
client 165 or rerrsote terminal 105 security applets 362. which when executed by the 
receiver poll the user and respor?d back to the global server 1 15, "The global sen/er 

20 115 can examine the response to identify and authenticate the user. 

For example, when a client 165 attempts to acv>.;ss die global server 115. the 
security engine 384 determines whether the global server 1 1 5 accepts in bound 
communications from a particular port. If so, the security engirse 392 allows the 
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comnvjnications engsne 382 to open a comrrvurjicatiorus channel 345 to the client 
165. Oihemise: no channer WiO be opened. After a channel is opened, the securiiy 
engine 392 forwards an authentication security applet 362 to the remote teffr^inal 
105 to poll the user for idenUfjcation and authentication inforn^ation such as for a 
uses- SD and a password. The auiheniicaiion security applet 362 will generate and 
forAsard a response back to the global sen^/er 115, which will use the ir^formation to 
verify the identity of the user and provide access accord;r>gly. 

It vS\ be appreciated that a I'equest-servicing engine" may be the 
contlasjration er-glne 389 arni the applet host engine 385 wher? providing services tcs 
a rerrsote terminal 105 or clierU 165. The request-servicing er?gir^e niay be the web 
page engine 398 v/nen perrorming workspace data 183 retrseval operations directly 
from the global server 115. The request-servicing engine may be the configuration 
engine 389 and the applet hosi engine 395 when perforrnsng workspace data 180 
retrieval operations from the client 165 or from any other site connected to the 
global server 115, The request-sen/icing engine may be secunty engine 392 when 
performir?g security seA/ices such as user identification and authentication. The 
request-servicing engine may be the synchronization agent when the performing 
synchronization with the client 165, Further, the request-servicing engine may be 
any combination of these cornponents. 

FIG. 4 is a Oiocr^ diagram illustrating details of the synchronisation agent 14S, 
which includes a communications module 406 and a general synchfonizaiion 
module 410, The con-KTHjnIcattons module 405 inciudss routines for corr?pressing 



data and routines for communicating via the communicalions channel 120 with Uie 
base systefTi 170. l"he communications rncsdule 405 may further include routines for 
corrimunicating securely channel through the global firewall 130 am through the 
IAN firewall 125, 

The general synchronization niodule 410 includes routines for dotemiining 
whether workspace elements have been synchronized 3nd routines for fopA'arding 
to the base systeit^ 170 version information (not shown) of elements determined to 
be modified after last synchronlxation. The general synchronization module 410 
may eiiiier maintain its own last synct-irorii^ation signature (not shown), receive a 
copy of the last synchronisation signature with the request to synchronize frorrs the 
base system 170. or any other means for insuring that the workspace data has 
been synchronized. The general synchronization rnodute 410 further indudes 
routines for receiving preferred versions of workspace data 180 workspace 
elements frof?^ the base system 170, and routines tor fo.avardin9 preferred versions 
of v>/ori<space data 180 y-/orkspaoe elements to the base system 170. 

FIG, 5 illustrates an example bookmark woritspace element ir^ the global 
format The translator 150 incorporates all the Information r^eeded to translate 
betvs'-een ail incorporated forrnals. For example, if for a first client a br>okniark in 
format A needs elements X, Y and Z ar?d for a second client a bookmark in format B 
needs elements W, .K and Y, the global translator 150 incorporates eienients vv', a. 
Y and Z to g©r?erate a bookmark in the global format Further, the translator 150 
Incorporates the information which is needed by ihe synciironization means (as 
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described belovj sn FIG. 4) such as the last modified date. .Accordingly, a bookmark 
in the Global Format may include a user identificatloa (ID) 505, an enir>' ID 5iQ, a 
parsnl 10 515, a folder ID fiag 520, a name 525, a description 530< the Unifoi-m 
Resource Locator (URL) 535, the position 540, a deleted ID flag 545, a last 
modified date 550, a created date 555 and a separalion ID flag 560. 



FiG, 6 is a block diagram illustrating details of the configuration and user 
data 366, Configuration data 356 includes settings 605 such as TCP data and the 
DNS address, web browser settirtgs such as home page address, bookmarks and 
caching data, applet engine settings, and applet contlguration data suci) as the 
user's e-mail address, name and signature block. It will he appreciated that applet- 
specific confsguratlon and user data 356 is needed, sir^ce the service rrsay not be 
located on the user's own local ciient 165. Configuration and user data 366 further 
inoiudes predetemiined user preferences 610 such as font, window size, text size, 

Configuration data 356 further includes the set of sefvices 615, which will be 
provided to tt?e user. Sen/ices 615 include a list of registered users and each user's 
list of user-preferred available senj'ices 615. Ser./ices may also include a list of 
auiiientication levels rseeded to access the services 515. Configuration and user 
data 137 furttser includes service addresses 620 specifying the location of each of 
the services 615 accessible via tl-se global ^aesver l 16, 
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FiG, 7 is a block diagrarr^ iHuRtratsng details, of lha dienl 165, which indudes 
a CPU 705, an input davsca 710, an output device 725, a cosnmuinications inierface 
71 C\ a data stcjrage device 720 and RAM 730, each coupted to a signal bu?; 740. 
An operaiifsg system 735 includes a prograns for controHing processing by 

s tne CPU 705, and is typically stored in the data stofvage device 720 and loaded into 
the RAM 730 (as iliustrsted) for execution. A service engine 175 includes a service 
program for managing workspace data 1B0 that includes version information {not 
shown). The service engine 175 may be also stored in the data storage cievsce 720 
and loaded into the RAM 730 (as illustrated) for execution. The workspace data 

io 180 may be stored in the data storage device 330. As stated above with reference 
to FIG. 1, the base system 170 operates to synohronfee the wori<space data 1B0 on 
the ciient 165 with the workspace data 163 on the global sen/er 115. The base 
system 170 may be also stored in fhe data storage device 7'20 md loaded into ih;e 
FV^M 730 (as shown) for execution. The base system 1 70 is described in greater 

15 detail with reference to FIG. 8, 

FIG. 8 is a biock diagram illustrating details of the t>ase systerr? 170, which 
includes a communicatb.ns rnodule 805, a user interface module 810, locator 
modules 81 5, a syncnronizatson -start C'synch -starf ) moduie 820, a general 
20 synchror?izat:on nn^dule S25 and a content-based synch;oni,Katior? module 830. For 
Simplicity, each mouuie i» ^iiustrated as cornrnunicatirK.} v/ith one another vsa a signal 
bus 840, It will be appreciated that the base systerrs 170 includes the same 
(.■;omponants as inctuded In the synchronisation agent 145. 
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The cortimunications module 805 includes routines tor compressing data, 
and routines for communicating via the communicalions interface 710 (FIG. 7} wilh 
ihe synchronization agent 145 (FK5, 1). The comrnuriications rr^odule 805 may 
snciude rouOnes to? applying Secure Socket Layer (SSL) technology and user 

s Ideru.iilcation and authentication techniques (I.e., digital certlflcales) to establish a 
secure communication channel tf-irough the I...AN fire'vvall i 35 and through the global 
flrevvali 130. E!5ecause syr?chronixalion is initiated from within the U^^4 firewall 135 
and uses commonly enabled protocols such as Hyperlext Transfer F^rotocol 
(HT TP), the typical flrev^'all 135 which prevents in-bound comniunlcations in general 

50 and some outbound protocols does not act as an impediment to e-m-ail 

synchronization. Examples of cornmunlcatloris modules 805 may include "TCP/IP 
stacks or the AppleTsik'" protocol. 

The user interface 810 includes routines tor comimunlcating v^itr; a user, and 
may ir^ciuds a conventional Graphical User Interlace (GUI). The user interface 810 

IS operates in coordination with the client 165 components as described herein. 
The locator m,odules 815 irK:Jude routines for identifying the memor>' 
iocations of the workspace elements in the workspace data 180 and the memory 
locations of the workspace elements in the workspace data 163, Workspace 
element rriemory" location identification may be impiemented using [ntelilgeni 

20 software, i.e., preset memory addresses or the sy,stenvs registry, or usl-:^a dialogue 
boxes to query a user, it will t.5e appreciated that the locator modules d sd may 
perform workspace element rnemsory location iderulCication upon system boot-up os' 
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afte? each communication with the global server 1 15 to niauitam updated rn&n-;ofy 
iocatior^s of workspace elements. 

The synchronization-start module 820 sndudes routines for determlninrs when 
to initiate synchronizaiion of workspace data 163 and workspace data 180, For 
exan-ple, the synchronization -start module 820 may snltiate data synchronization 
upon user reciuesi. at a particular time of day, aite- a predetermined tlnie pedod 
passes, after a predetsmiirsed number of changes, after a user ectlo;i such as user 
iog-off or upon like cnleria. The synchronization- start rr?odule 820 Initiates data 
synchror^izatlon by instructing the general synchronization nioduie 626 to begin 
executior> of Its routines, li will be appreciated that communscatlons with 
synch ronteatlon agent 145 preferably Initiate from within the LAN 126, because the 
typical L/hN firewall 126 prevents in-bound communications end allows out-bound 
eommunicatlons, 

Ti'se general synchronlzafton module 825 Includes routines for requesting 
version information from the synchronization agent 145 (FIG. 1) and routir?es for 
cornpari.",g the version information against a last synchronization signature 835 
sucr? as a last synchronization dale and time to determine which versions have 
been modified. The general synchronization module 825 further irjciudes routines 
for comparing the local and remote versions to deterrnir^e if only one or both 
versions of a particular workspace element have been modified and routines for 
perfom-iing an appropriate syncf?ronizsng responssve action. Appropriate 
syrjchronizing respor?siva actions mny include for»vardlng the modified version (as 
the preferred version) of a workspace element in workspace data 180 or forwarding 
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just a compilation of the changes to the oUie? $to?e($). Other appropriate 
synctironizing responsive actions may include, if feconciliatiori between two 
modified vers;ons is needed, then instructing the content-ba&ed synch*rDnizatian 
nioduie 830 to execute its routines (described below). 

5 it will be appreciated thai the eynctuor?izatioo agent 145 preferably exsnilnes 

the local version information 124 and forwards only the elements that have been 
modified since the last synchror^izatior^ signature 835 This iechniqije makes 
efficient use of processor power and avoids transferring tinnecessar/ data across 
the comniunioations cnannei 712, The general syrK-;hronization n-srjdute 825 in the 

so lAH 135 accordingly compares the data elements to determine if reconciiiation i^s 
needed. Upon compietion of the data syrK;hronizatR>n, the genefal synchronisation 
moduie 825 updates the last synchronization signature 835, 

The content-based synchronization module 830 includes foutir?es for 
reco,nciiing two or more modified versions of workspace data 163, 180 In the same 

\ s workspace element. For example, if the origir'sai and the copy of a user workspace 
eiernent have both been nx'^dified independently since the last sync'wonization, the 
content-based syr^chronization module 830 detennines the appropriate .responsive 
achon. The content- based synchronization module 830 may request a user to 
select the prefened one of the modified verssons or may respond based on preset 

20 preferences, i,e., by storing both versions in both stores or by integrating the 
changes iruo a ssngre preferred version which replaces each modified version at 
both stores. When both versions are stored at both stores, each version may 
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include a link to the other version so that, the user may be adv;sed to select the 
preferred version, 

It will be appreciated thai any c^Hent 165 that wants synchronization may 
have a bi^se system 170, Aiternatlvely, one base systerr? 17Q can manage rnulliple 
clients 165. It wlH be fiuther appreciated that for a thin client 165 of iirnlted 
ccrnputirKi power such as a smart lelepnone, all syncbronizatiors may be performed 
by the global server 115, Accordinaly, con'iponents of the base system 170 such as 
the user interface module 810, the locator rr^rxiules 8U\ the general 
synchronization module 826 and the content-based synohronrzaiior- module 830 
may be located on the global server 1 15. To initiate synch ronszation from the client 
165. the client 165 Irwiudes the conUTumlcations module B05 and the synch-start 
rrvodule 820, 

FIG, 9 illustrates an example list 900 of accessible sesvices provided by a 
URL-addressable Hyperlexi Markup Language (HTML)-based web page, as 
maintained by the web page engine 398 of the global sen/er 115. The list 900 
ir^oludes a title 910 ^'Remote User's Home Page/' a listing of the provided services 
616 arsd a pointer 970 for selecting one of the provided services 616. As iliustrated. 
the provided services may include ars e -m.ail ser^'ice 920, a calendaring sen^'ice 930. 
an inlemel access service 940, a paging service 950, a fax sending seivlce 960, 3 
user autheotication setvice 963 and a workspace data retneval service; 
.Although not shov.'n, other sen/Ices 615 SLich as bookmarking, OuickCa;-d'^'\ etc, 
may be included in the lisl 900. Although the web page provides the services 615 



in a list 900, other dala structures such as a pie chart or table niay alternstsvely be 
used. 

FIG. 10 is a flowchart illustrattng a method 1000 for enabling a user to 
access the sarvice^i 615 in the corriputer network system 100. Method 1000 begins 
by the remote terminal 105 in step 1005 creating a communications hnk wsth tt^e 
global server 115. The global server 115 in step 1010 confirms that the user has 
privileges to access ttre fi.ind.ionality of the gfobai server 115. Confirming user 
access privileges may include examinir?g a user certifice^te, obtaining a secret 
password, rising digital signature technology, performing a chalier^ge/response 
technique, etc. It will be appreciated that the security engine 392 may cause the 
applet host engine 395 to forward via the comft^unications chanr^el 345 to the 
remote tentiinal 105 en authentication security applet 362 which wher. executed 
communicates with tha global server 115 to authenticate the user. 

After user access privileges are confirmed, tlie web page angina 398 of the 
global server 115 in step 1016 transmits web page data 368 and configuration and 
use? data 366 to the remote terminal 106. The web engine 140 of the remote 
terrrunal 105 in step 1020 uses the web page data 368 and the configuration and 
user data 356 to display a web pjage service iist 900 (FIG 9) on the output device 
230, aad to enabte access to the services 616 which the global sen^'er 116 offe^rs. 
An example service list 900 is shown arui Described with reference t.o FIG. 9, 

Fn:)m the options listed on the v»feb page 900, tr-e user m step 1025 selects a 
service 615 via input device 220. !r> response, the request-semcing engine 
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(described with reference la 3) provkies the selected service 615. For 
example, the applet host engine 395 of the global server 115 m step 1030 may 
download to the remote lermina; 105 a corresponding applet 359 and canfigurauors 
and user data 356 for executing ihs requested se?vicx=; 615 Aiternatively, the web 
page engine 398 may use, for exarr?pie, hITTP and HTTvIL to fkovide the selected 
service 615. As described above with referer?ce to flG~ 6, the configurat.ian and 
user data 356 rnay Incsude user-specific preferer>ces such as user- preferred tor^ts 
for configuring the selected service 61 5 (Configuration and user data 356 may also 
include user-speclfic and service-speclfsc information such as stored bookmarks, 
calendar data, pager niin^sbers, etc. Alternatively, ^he corresponding applet 359 ar^d 
the configuration snd user data 356 could have been downloaded In step 1016. 
Froviding access to the service t>y an applet 3S9 is described in greater detail below 
with reference to FIGa, 12-14. 

The applet engine 2S0 of the remote terminal 106 sn step 1035 initiates 
execution of the correspor^ding downloaded applet. The giobai seive? 1 15 in step 
1040 initiates tr^o selected service 616 and in step 1045 selects one of three n^odes 
described with reference to F-IGs. 12-14 for accessing the se^v;c^3 615. For 
exarnple, if the user 5elef.:!s a sen/ice 615 on a service server (e.g., the client 155) 
that is not proter^ted by a separate fsrew-ail, then the global server 1 15 rYU^y provide 
the user vvith direr:t access. If the user selects a service 615 provided by a sen^ice 
server within tne LAN 125, then the global ser/er 1 15 may access the service 615 
as a proxy for the user. It will be appreciated that each firewall 130 and 135 may 
stor"e policies estcibllshing the proper mode of access the 9iot>al sesver 1 15 should 



select. Other factors tor selecting mode of access may include user preferer^ce, 
availability and feasibility. The global server 115 in step lOCiD uses the selected 
mode to provide the remote terminal "iOG user with access to the selected service 
615. 

5 

FIG. 11 is a fiov.'chart lllustraiina details of step 1005, which begins tjy the 
remote temiinal 105 in step 1106 using a knowr? Uriiform Resource Locator (URL. ) 
to ca;l the global server 1 1 5 The global sen.<er 115 ar?d the remote terminal 105 in 
step 11 07 create a secure communications channel therebetween, possibly by 

}o applying Secure Sockets Layer (SSL.) technology. That ss. the security engine 30.2 
of the global server 115 \x\ step 1110 detenmlr^es If in-bour^d secure co-Y^munications 
are perrnated and, if so, creates a communications channel with the remote terminal 
105, The web engine 140 of the remote terminal 105 and the secuhty engine 392 
of the global server 115 in step 1115 negotiate secure communications chanr^el 

15 parameters, possibly using public key cetllfsoates. An exanipie secure 

communications channel is RSA with RC4- encryption. Step 1116 thus may include 
selecting an encryption protocot which Is known by both ihe global seiver 115 and 
t!--e rerYiOte terminal 105. The er^cryptlon engine 283 of tlie remote terminal 106 and 
secure communications engjne 392 ofihe global server 1 15 in step 1 120 use the 

20 secure chanr?el pararTieters to create the secure communications channel. jMethod 
505 then ends. 
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VIG. 12 is a tlovvchart siiustrailng detaivs of step 1050 in & first embodsmerU, 
referred Xo as step 1060a, wherein the globai server 116 provides the remote 
terr?~isnal 105 with a direct connection to a servsce 616. Step 1050a begsns by the 
applet engine 290 in step 1205 running a configuration applet 359 for the selected 

5 service 615 that retrieves the serv-ice address 620 from datc^ storage device 380 
and the authenticatiorj inforry?auon frorn the keysafe 365. The communications 
interface 340 in step 1210 creates a direcl and secure con.necl.ion with the 
communications interface 340 of Vne global server 1 15 at tf-se retrieved service 
address 620, ar?d uses ti'ie authentication information to authenticate itself, 1 he 

10 applet in step 1215 acts as the I/O interface with the service 615. Step 1050a then 
ends, 

FIG. 13 is a flowchart iyustrating delails of step 1050 in a second 
embodiment, referred to as step 1050b, wherein the gtobal server 115 acts for the 

13 ramefe termir^ai 106 as a proxy to ti'^e service 616, Step 1050b begins with a 
configuration applet 359 m step 1305 reguesting the service address 620 for the 
selected service 61 5, which results ir? retrieving the servsce address 620 directing 
tne applet 359 io ihe global server 115. The applet 359 in step 1310 creates a 
connection with corrsrn>,.inications interface 340 of the global server 115. The global 

20 server 1 1 5 in step 1 31 5 retrieves tr^e service address 620 of the selected service 
615 and the authentication information ioi -ije .^elected service 615 froni the 
keysafe 365. The communications interface 340 of the global server 115 in step 
1320 negotiates secure channel parameters for creating a secure channel with trie 
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service server 1014, The comnvjnicatbns snierface 340 in step 132D also 
auihenticates itself as the user. 

Thereafter, the applet 359 in step 1326 ads as the I/O interface with the 
communications intenBce 340 of the global sen,'er 115. If the global server 1'i5 in 
step 1330 determines that it is unauthorized to perform a remote terminal 105 
users request, then the global server 1 15 in step 1345 determines whether ttie 
method l05Db ends, e.g., whether the user has quit If so, then method 1DB0t) 
ends. Otheavise, method 105Db returns to step 1325 to obtain another request, If 
the global server 1 1 6 ir? step 1 330 determines that \t is authorized to perfonn the 
remote terminal 105 user's request, then the giobai server 115 in step 1340 acts as 
the proxy for the r6?T>ote temiinal 105 to the service 615. As pro-xy, trie giobai 
server 115 fcMwards the service request to the selected servsce 615 and forwards 
responses to the requer>tir?g applet 359 currently executing on the remote terrT?i;iai 
105. Method 1050b then jumps to step 1345, 

FiG, 14 is a fiovs'-chart iiiustrating details of step 1050 in 3 third embodiment, 
referred to as step 1050c, wherein the service 615 being requested is iocaled 00 
the giobai sen/er 115. Step 10S0 begins with an applet in step 14D5 retrieving the 
service address 620 for the selected senv'ioe 615, which results in providing the 
configuration applet 359 with the service address 620 of the service 615 on the 
gluddi seiver 115. Thus, the applet in step 1410 creates a secure connection with 
the globa; server 115, No additional step of identification arui authei'^tication ss 
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needed since ihe ref-note terminal 106 has already identified auid autrsersticateci itself 
to the global server 115 as described witii reference tC5 step 1010 of f\G. 10. 

In step 1415, a determination Is made whether the service 615 is cun-ently 
running. If so, then in step 1425 a deterTOiriation Is made whether the service 615 
car> handle rn-.-itiple users, if srx then the globai server 115 in step 1430 creates an 
■nstance forUie user, and the applet in step 1440 acts as the i/0 interface vvith the 
service 616 on the giobai server 116, Method 1060c then ends. Otne;\vise, if the 
service 615 in step 1426 detenr^irses that It cannot handle rrjultiple users, ihen 
rnelhod 106Gc proceeds to step 1440. Further, it in step 1415 the giobai sen-'er 115 
so detennines that the service 615 is not currently rurtning, then the global ser^-er 1 15 
In step 1420 initializes the service 615 and proceeds to step 1425. 

FIG, 16 ;s a ilowchart illustrating a method 15Q0 tor using a global translator 
150 to synchronLze worl<space riata 163 and workspace data 180 in a secure 

IS nerxvork 1 00, fvtethod 1 500 begins with the user interface 900 ir^ step 1 506 enabling 
a user to select v^'orkspace eiements of workspace data 163 and workspace data 
180 for the synchror^izauor-s rrieans to synchronize. The locator modules 815 in step 
1510 Identify the memory iocatiorss of the workspace eiem>ents in workspace data 
163 and workspace data 180, If a selected workspace element does not have a 

20 corresponding memory location, such as in the ai&e of adding new worKspace 
elernerils to the giobai server 115, then one Is selected. The selected memory 
location may be a preexisiing workspace element or a new workspace element. .As 
slated above, workspace element memoi^ location identification may be 
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s?fiplemented using inteiiigent sostwsra or dialogue boxes. Trie general 
synchronization module 825 in step 1515 sets the previous status of the workspace 
elerrsersts equal to the nuil set, which indicates that ail information of the vvof1<space 
element has been added. 

The synchronlzaiion-staEt module 820 in step 1520 determines whether 
predetermined crsteria have been met vviilch indicate that synchrDr.ization of the 
workspace elements selected in step 1505 should start. If not, then the 
synchronizatson-start module S20 in step 1526 waits and loops back to step 1520, 
OUiemlse, the commanioatlons module 805 and the cornmur=ications module 405 in 
steo 1530 establish a secure communications channel therebetweefi 

The general aynchronij^-ation module 825 in step 1536 deterrrsines whether 
any workspace elements have been modified. That Is, the general syrschronization 
module 825 ir- step 1535 examir^es tiie version inform,c4ion of each selected 
wori<space element in the vsforkspace data 180 agajnst the last synchronization 
sigr^ature 435 to locate frsodhled workspace elements. This comparison may 
include comparing the date of last m=odit]cation with the date of last synchronization, 
or may Include 3 comparison between the current status and the previous status as 
of the last interaction. Similady. the general synchronization module 816 examines 
the versiO!^ information of each corresponding workspace element in workspace 
data 163 and the last syr?chronisation signature 435 to locate n-odified Vv-orkspace 
elements. 

if In step 1535 no modified workspace eiemsents or folders are located, then 
the general synohronl;Eayon module 825 in step 1560 updates the last 
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synchronization signature 436 and method 1500 ends. Othefwise, the -general 
synchronization module 825 in step 1S4D determines whether more than one 
version of a workspace eierrient has been modified since the last synchronization, 
if or?iy one version rias been r>iodifiec], then the corresponding genera! 

s synchronizatiori module 826 in step 1545 determines the changes made. As stated 
above, determinir?g the changes made may be impierr^errted tiy comparing the 
current statiss of the workspace element against the previous status of the 
workspace eiernent as of the iast interaction therebetween. If the chsnges were 
made oniy to the version in the workspace data 163. then the global tfa.nslator 150 

10 in step 1550 translates the ctmnges to the format used i^y ttie other store, and ihe 
generai synchronization moduie 410 in step 1555 forwards the translated changes 
to the general synchronization module 825 for updating the outdated workspace 
element In the workspace data 180. if the updated version is a workspace sierrient 
in ihe workspace data 180. then the generai synchrontzation module 825 sends the 

15 changes to the updated version to the global trarsslator 150 for translation and then 
to ihe general synch roni2:ation module 410 for updating the outdated workspace 
element jn the workspace data 153. The general synchronization moduie 825 and 
the general synchronization module 410 in step 1557 update the previous state of 
the workspace element to reflect the currer?t state as of this irueraction. K*ethod 

20 1 600 tl^ier? returns to step 1 635. 

VI cue general synchronization module 825 in step 1540 determines that 
multiple versions l?ave been modified, then the general synchronization module 825 
in step 1585 computes the changes to each version and in step 1570 instructs the 

32 



coritent-basad synchronizaiion module 830 to exan-sine corUent to detsrmhie If any 
GonHicts exist r^or example, the conterU-based synchronization module 630 may 
determir^e that s contlict exists if a user deletes a paragraph in one versior^ and 
modified the same paragraph in anott?er version. The content-based 

s synchronization module 830 may dstem^lne that a contlict does not exist If a user 
deietes dittereni paragraphs in each version, it no oonfilct is found, ib.en rr^ethod 
1500 jumps to step 1660 for tra?>slaling and fosv/arding the changes in each version 
to the other store. However, if a conflict is found, then the content- based 
syncfHor?ization module 830 in step 1575 recoru^iles the aiodified vc.fsions. As 

,10 stated above, reconoHiation may inciude requesting instructions from the user or 
based on previously selected preferences performing responsive actions such as 
storing both versions at both stores. It will be appreciated that, a link between tvvo 
versions may be placed in each of the two versior^s. so that the user will recognisie 
to exa?Tiine both versions to select the preferred version, Method 1500 then 

\ s proceeds to step 1 560, 

It w\i\ be further appreciated tha^ in step 1510 new workspace elements and 
preexisting workspace eiemenis to which new Vv'orkspace elements wdl be merged 
are set to "modified" and the previous status -s set to tf^e null set, Tf^us, ih^ general 
synchronization module 826 in step 1540 Vi'lll detenT=ine that more that one version 

20 has been modified and the corrtent-based synchronization module 830 in step 1670 
will detem -ine that r;o conflict e.xists. The changes in each v^m oe translated and 
forwarded to the other store. ,AccGrdingiy, tiie two versions v/sli be effectivaiy 
rr?erged and stored at each store. 
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For example, it a first books-nafk folder was created by truj web ersgine 140 on 
the client 165, a second folder was created by a web engine 140 on Ihe remote 
terrr?inal 105, no preexisting folder existed on the global server 1 15 c^nd the user 
selected eaob of these folderB for synchrorsizatiorr then the synchronization means 

5 win effectiveiy merge the first and seco?^>d folders. Thai is, the ger^erai 

synchronisrstion module 825 an the client 165 will determine thdd the first foider has 
been modified and the prnvious status is equal to the null set. The gerserai 
synchronization module 825 wiis determine and send the char^ges, i.e.; ail the 
workspace elements in the first folder, to a new global folder on the global server 

u) 115. Sir^^ilarly, the general syr^chronisation module (not shown) on the remote 

termir^al 105 will determine that, as of its last interaciton, the previous stsstus of each 
of the second and the global folders is the null sat. The general synchronization 
niodule 825 will Instruct the content-based synchronization module 830 to examine 
the changes made to each folder to determine whether s confhct e.xists. Since no 

IS contlicts will exist, the general synch ror5i2atiDr5 rr?odule S25 will fomard the changes 
to the global folder and the general synchronization rnr^duie 410 will forward its 
chariges to tb:e second store, thereby merging the workspace elements of the first 
and second folders in the global and second folders. The general syr?ciiro?=ization 
module 410 will irrform the general synchronization module rs25 that the global 

}ii folder has been modified relative to the last interaction, and wHi foi^A'ard the nev>/ 
changes to tl ie first folder. Thus, xne Tirst and second folders will be merged sr^d 
stored at each store, 
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The roregosng descripiion of the preferred embodiments of the invention is by 
way of exa?T!p!e only, and otiier variatiorss of the above-described err?bodirnents and 
methods are pnDvided by itse prei^ent inventson. For exampte, a server can be any 
computer v.'hich is poited by a client Thus, the remote torminai 105 may be 
referred to as a t/pe of client Although the system and method have been 
described v/sth reference to applets, other dQv\fr^loadabie executables such as 
Java''"' applets, Java'^ appHcatlons or ActiveX'" oonirol developed by the Microsoft 
Corporation can alterr-satively be used. Components of this Invention may be 
Implen-ented usir^g 3 programmed general-purpose digital corrsputer, using 
application specific integrated circuits, or using a network of intercormected 
ooru'entionai components and circuits. The embodiments descnbed herein htwa 
been presented for purposOvS of illustration and are not intended to be exhaustive or 
jimitirjc. Many variations and modifications are possible ;n hght of the foregoing 
teaching. The invejntlon ss iimited only by the following claims. 
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1. A system opeEating in a compuler network having a service, comprising: 

(a) a server apparatus Including 

s (i) a synchror-iz£4ior? agent for determining ?TSGdlfscation of a ses-ver 

vvorkspacoi element and oeneraling ses-ver results; and 
(ii) a control engine for provldKng control of the service; 

(b) a clie;nt apparatus including 

(i) 3 comrr^unlcr^iions engirie fcr corYimunicating with the serv-er 
10 and for receiving the server results from the server; and 

(ii) means for determining modification of a client workspace 
eterner^t, tor ger^erating ciier^t results, for comparing the client results 
with the sefver results , and for penbrmlng a resporssive 
sync'ironizatior^ action; and 

15 (c) a request-sei-vicing engine for conimunlcatino Vi?lth the control engine 

and for oor^tfolling the service. 

2. The system of claim 1, wherein 

the ser/er workspace elemerU Iru^.ludes server version infon-nation; and 
2.8 the synchronizatjon agent examir?es the ser/er version inforn -ation against a 

last synchronization signature to determine whether the se^v^; vvu^^space element 
has been modified. 
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3, "f'ae system of dsln-i 2, v/herein the syncnroriization agent updates the Gerver 
ve rsson in fo rrna lion . 



4. The system of cla;m 1 .. v-'herein the server further Includes a cordl-guration 
engine for delivering configuration data which cor-sfigures the «>efvice. 

5. The systerr? of ciasrri 1 , wherein the sesver further snciudes s comlguraiion 
engine for delivering coruiguratlon data which configures the controi engirse. 

6. The system of olalm 1 . wherein the client workspace element includes client 
version information and the means for determining compares the client version 
information against a last synchronization signature to determine wfieiher the clierst 
vvorkspace element fias bee.n modified. 

7. The system of claim 6, wherein the means for deterrrjining updates the client 
version information . 

8. The system of claim 1 , wherein the ser,/er uses a global format to store the 
server workspace element, the client uses a client format to store the dler^t 
vvorkspace element and the server further Indudes a gjobal trarssiator for translating 
between the client forma*. r.snu ir^e global format. 
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9. The system of claim 1 > wherein the server further indudes a securily engine 
io;- klentifV'ing and authenticatsng a usee before enabisng access from s remote 
client 

s 1 0 . The system of ctaim 1 , wherein the cifent is protected hy a firewall 

1 1 . The systern of claim 1 0, wherein the server further Includes a key for 
enabling communication through the firewa;i. 

sO 12, The system of c?alm 1 , wherein the dient further Includes a syr^chronteation- 
start module for inltiaiinQ the communtcatsons engine to establish a comrYiunicatlons 
chanr?ei with the server, 

13. The sysfem of dalr'n 1 ., wherein the responsive syr^chronizatlon action 
15 includes generating a preferred version frorrs the server workspace eiement and the 
client workspace eiement. 

14 The system of claim 1 3, 'vVi-'erelr? the client furtr>er inoludes a synchrorsizatlar^ 
moduie for examining the content of the senj'er workspace element and oixhe clisnt 
;:0 wori<space element when the rm^ans for determining cannot generate a preferred 
version because a cofiHIci exists. 
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1 5. The syztem of claim 1 , vvhereir? the conirol engine includes an applet rsosi 
eng;ne far transniilting an applet which controls tne ser^'ice to the fequest-servicing 
engine and the request- sen/icing engine iridudes an applet engine for execis^ing the 
applet. 

5 

16, The system of claim 1 , fu?llier comprising a user interface coypled to the 
control engine and enabling a user to request access io the service. 

17. The system of claim 16, wherein the ser/loe enables access to the client 
10 workspace element. 

18, The system of claim 1 , wherein the service uses the ciient workspace 
elerTvent. 

IS 19. T he system of claim 1 , whemin the service uses the server workspace 
eiement. 

20, The system of claim 1, whereir-; the service Is located on the sen/er 

.ao 21 , The r%'stern of claim 1 , whereif^ Uk^ service Is located on the ciserif, 

22. The system of ciaim 1, wherein the computer network includes q camputer 
providing the sea^oe. 
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23, A system capable of provkJing a servict; and a version-sy?^chror;i2ed 
workspace etement from a requesting client, comprising: 

a storage medium storing an address pointing to said $er>/ice; 

a communications irvtefface iov estabiisl-iing a communications linli witti ih.^ 

client: 

a re-quest-servicing engine coupled to the cominunications ii'it.erface for 
receiving a request for access to said service from the client; and 

access -providing means coupled to the storage medium and the ciient 
interface for providing access to said service to the client 

24, The system of claim 23, wherei;i the storage medium further stores an 
addioss pointing to the Vv/orkspace eientent, 

25, The system of ciain" 23. trirther coinprising a synchronization-start module 
initiating the camfT^unicatior?s interface to establish a communications link. 

26, The system of ciaim 23, vvi^erein the service is located on a remote 
computer. 

27, The system of cia:ru 2o., wHerein the system includes the ser>/ice. 

28, The system of claim 23, wherein the service Is boated on the clent 
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20. Ttie system of clairri 2d., wherein the client is protected by a fsrevvaii. 

30, The system of claim .29, whojresn the csient furlher co?r;prises a 

■1. svr?cnronization-stan module for initiating the communicatioriS interface to establish 
a communications iini<. 

31 , The system of cMw. 29, further con>prissng a key to enable access through 
the firewall. 

10 

32, The systerr^ of cisrm 23, further comprising a security engine tor perrbn-ning 
identification and authentication services before providing access to the service ta 
the client, 

IS 33, The system of claim 23, vvherei.a the request-servicing engine receives a 
request from a remote ciient. 

34, Ttie system of clasm 33, wherein the remote client receives the request frorr? 
a user. 

20 

^5. The system of claim 23, wherein the acc^ess-providing means de!ive?s an 
applet which controls the service to the client. 
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36. The system of claim 35. fuflher comprislfK) an appiet host engine. 

37. "Fhe system of claim 23. funher comprisirjg synchronization means for 
synchronizing iho workspace element. 

38 The system of claim 37, wherein the workspace element inciudes version 
■nformaOon. 

39. The system, of oialm 37, further comprising 

a synchronization agent for examining a system workspace element and 
generating system rasults; and 

a general-synchronization moduie for examining a workspace element on the 
client, for generatir?g client results, for con-iparing ihe client results and the system 
results, and for performing a responsive synchronization response. 

40 The system of claim 39, wherein the responsive synchronization response 
■nciudes generating a preferred version. 

4 1 . The system of claim 23, wherein the service uses tiie workspace element., 

42. ,A system capable of providing a service and a versson-synchronized 
workspace element from a ?equesti?ig client, comprising: 

storage means storino an address pointing to said service; 
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commLinications means for astabfehirsg a comsiiLmications lirsk with the 

client; 

requesl-recaivsng meanz coupleci to the cornrnunications means tor receiving 
a request for access to sasd service frory^ the cnent; and 

access--providirx:5 means coupled to the storage means and the establishing 
mear?s foi- providing access to rsaki service to the client. 

43. A computer-foadabte storage medium storir\g prograrn code for caiiSing a 
con^p'Uter to perform the steps of: 

stonr?g ar^ address pointirtg to saio service; 

establishing a communications iir^k with the client; 

receiving a request for access to said service tVorri the client; and 

providing access to said seivice to the client. 

44 . A niethod capable of providing a service and a version -synchronized 
x\forkspace element from b requesting client, comprising the steps of: 

storing an address pointing to said sen,'ice; 

establishing a comn-junications link with the client; 

receiving a request for access to said service from the ciiertt; and 

providing access to said service to tl-ie cliervt. 

45. A system capable of providir\g a service ar^d a version-synchronized 
worl<space element frorr? a requesting client, comprising; 

4;5 



a storage medium storing an address pointing to said workspace element; 
a conHTsunioaiions interface for esiabiishing a communicatians link with the 

cliant; 

a request-ssrvicing engine coupled to the comrnur>iGaiions interface for 
s receiving a request fo? access to saki workspace element frdn the client; arid 

means coupled to tlie stcnage niedlu^ni and the clier^f lr^,terface for providing 
access to said workspace element to the chent. 

46, Ttie system of clefm 46, wherein the storage medium further stcsres an 
so address pointir>g to the sen/lce. 

47. T he system of claim 45. further compdsmg a synchronization-stari module for 
ir^itiating the communicatiorvs interface to establish a communications link. 

i.> 48. Tt^e system of claim 46, wherein the service is located on a remote 
computer. 

49. T he system of claim 45, wherein the system includes the service. 
20 50, The system of claim 45, wherein the ser\,'ice Is iocated on the dient, 
5 i . The system of clain-; SO, wherein the client is protected by a firewall. 
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52 . The system of claim 51 , v/nereln the client fmtlier comprises a 
synchronizaiiorvstari. module for initiatsrig the communlcaiions interface to establish 
a communscations link 

53 The system of ciaini 51 , further comprising a key to enable access through 
the firewall, 

54. The system of claim 45, funher compnsirjg a security engine for performing 
idefKification and authentication services before providing acxess io the workspace 
element to the client, 

55. The system of claim 45, wherein ihe request-sesvicinq engine receives a 
request from a remote client. 

56. The system of claim 55. wherein tiie remote client receives the request from 
a user. 

57. The system of ciaim 45, wherein the access-providing rr^eans delivers an 
applet which corvtrois the service to the client. 

68. The system of claim 67, further cornprissrig an applet t>ost er^giru?. 
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59 The ?ystef?^> ox claim 45, further cosnprising synchron'siallon n^eans for 
synchroniziru.) the worKspace element. 

GO. The system of cJaim 59, wherein the workspace eierr^erst indudes versson 
5 information. 

61 , The system of dB\m 59, further comprising 

a synchronization agent for examinsng 3 system workspace etemerU and 
generatir^g system results; and 
\0 a general~synchron>zatlon module for e.xamin5ng a x-vorkspace elemeni on the 

ciient, for generating ciient resuits, for oorv^paring the client results ami the system 
resuits, and for performirsg a responsive syncf^roriizatiori response. 



62. The system of oialm 61 wherein the responsive s.ynchroniz3tion response 
15 inciudas generating a preferred version. 

63, The system of clasm 4(\ wherein the service uses the workspace eierrsenl. 



64. A system capable of providing a service and a version-synchronized 
20 workspace element from a requesting oiie?>i, corr^prising; 

storage means stohng an address pointing to sa;d workspace element; 
communications means for establishing a communications sink with the 

client; 
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request- servicing niear^s coupied to the comrnunscationa means for receiving 

a request for acce^ss Iq said workspace elerr^erst from Ihe cjienl: and 

access-providing rr?eans coupled to tr^e storage means and the request- 

serv'scir?9 means for providirsg access to said workspace element to the client. 

65. A computer-readabte storage medium storing program code for r:ausing the 
computer to perforrn the steps of: 

storir^g an address poirvhng to said workspace element; 
establishing s communiGaiions link with the client; 

receiving a request for access to said workspace elemer^t from the client; and 
providing stccess to said v,'"orkspace element to the ciient. 

66. A method capable of providing a service and a version -synchronized 
vi/orkspace eier^ient from a requesting client comprisir^g the steps of; 

storing an address pointing to said vs/orKspace element; 
establishing a communir:ayons link with the client; 

receiving a request tor access to said workspace eiefiieni from the client; and 
providing access to said workspace element to the ciient. 

67. I'he method of ciairr) 65, further comprising trie step of storing an address 
pointing to the service. 
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68 The method of ciaim 66, wherein the service i$ io< 
conipiiter. 



jcated on a remote 



69- The methoci of ciairr? 68, wherein the service Is located on the chent- 

70. The niefhod of ciasm G9, wherein the client Is protected by a firevvalL 

71 . The method of cia;m 69, further cornprising the step of inilk^ting establsshing 
a communications link from the client. 

72. The metliod of claim 69, further comprising the step of using a koy to enabte 
access through the fsrewafl. 

73. The fT^ethod of claim 66, furthser comprising the step of porfbrming 
identification arsd authentication services before providing access to the workspace 
element. 

74. The method of claim 66, further comprising the step of receix'ing a request 
tVorn a rerr^ote client, 

75. The method of claim 74, further comphssng ihe step of receiving the request 
from a user. 



76. The method of claim 66, further comprising the step of delivering an applet 
vvliich controls Ihe service to the client. 



77. The method of cla:m 66, furtr^er caf))phsing the step of syrschror^izlfKj the 
workspace elsment. 

78 Tne method of ciciirn 77, wherein the workspsce elernent includes version 
inforrnation. 

79, The method of ck^lm 77, further comprising the steps of 

examintng a system workspace element and generatlrK} system results; and 
examining a workspace elemerit on the client; 
generating client results; 

companng tr^e client results and the system results; and 
performing a responsive synchronization respor^se. 

80. The method of cialm 79, further oon^prislrKj step of generating a preferred 
version. 

81 The JTiethod of claim 66, wherein the sen/ice uscjs the workspace element, 

B2. I tie system of claim 1 , further comprising a user interface coupled to the 
applet engine and enabling a user to request access to the serv-er workspace 
element. 
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